 Application |
 Compromission d'intégrité |
 Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-324 |
De multiples vulnérabilités ont été découvertes dans Apple Wi-Fi Update for Boot Camp. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données et une atteinte à la confidentialité des données. |
| Application |
 Déni de service |
 Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-308 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données. |
| Application |
 Information |
 Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000615 |
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-323 |
Une vulnérabilité a été découverte dans VideoLAN VLC. Elle permet à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance. |
| Application |
 Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-307 |
De multiples vulnérabilités ont été découvertes dans Joomla!. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS). |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000614 |
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Compromission d'intégrité |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-322 |
De multiples vulnérabilités ont été découvertes dans Mozilla Thunderbird. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de requêtes illégitimes par rebond (CSRF). |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-306 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Elles permettent à un attaquant de provoquer un déni de service et une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000613 |
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code.. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application.. This vulnerability appears to have been fixed in 1.60 and later. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-321 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux d'Ubuntu . Elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et une atteinte à la confidentialité des données. |
| Application |
Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-305 |
De multiples vulnérabilités ont été découvertes dans SCADA les produits Siemens. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000611 |
SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross Site Scripting (XSS) vulnerability that can result in Allows an attacker to inject arbitrary web scripts or HTML into help and login pages. This attack appear to be exploitable via the victim opening a specially crafted URL. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-320 |
De multiples vulnérabilités ont été découvertes dans Google Android. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-304 |
De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000610 |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-319 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE . Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, un déni de service et une atteinte à la confidentialité des données. |
| Application |
Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-303 |
De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS). |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000609 |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-318 |
De multiples vulnérabilités ont été découvertes dans Citrix XenServer. Elles permettent à un attaquant de provoquer un déni de service. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1002150 |
Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1. (CVSS:7.5) (Last Update:2018-05-18) |
| Application |
 Vulnérabilité locale |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000608 |
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. (CVSS:0.0) (Last Update:2018-07-03) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-317 |
De multiples vulnérabilités ont été découvertes dans les produits VMware . Elles permettent à un attaquant de provoquer un déni de service et une atteinte à la confidentialité des données. |
| Application |
 Alté de données |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1002100 |
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. (CVSS:3.6) (Last Update:2018-07-03) |
| Application |
Alté de données |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000607 |
A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-316 |
De multiples vulnérabilités ont été découvertes dans Xen . Elles permettent à un attaquant de provoquer un déni de service et une atteinte à l'intégrité des données. |
| Application |
Alté de données |
 Score : 4 / 4 |
2018-07-16 |
CVE-2018-1000623 |
JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint (/ui/artifactimport/upload) that can result in Directory traversal / file overwrite and remote code execution. This attack appear to be exploitable via An attacker with Admin privileges may use the aforementioned UI endpoint and exploit the publicly known "Zip Slip" vulnerability, to add/overwrite files outside the target directory. This vulnerability appears to have been fixed in 6.0.3. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000606 |
A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-315 |
Une vulnérabilité a été découverte dans HPE Integrated Lights-Out (iLO). Elle permet à un attaquant de provoquer une atteinte à l'intégrité des données. |
| Application |
Vulnérabilité locale |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000622 |
The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000605 |
A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-314 |
De multiples vulnérabilités ont été découvertes dans Xen. Elles permettent à un attaquant de provoquer un déni de service et un contournement de la politique de sécurité. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000621 |
Mycroft AI mycroft-core version 18.2.8b and earlier contains a Incorrect Access Control vulnerability in Websocket configuration that can result in code execution. This impacts ONLY the Mycroft for Linux and "non-enclosure" installs - Mark 1 and Picroft unaffected. This attack appear to be exploitable remote access to the unsecured websocket server. This vulnerability appears to have been fixed in No fix currently available. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000604 |
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Compromission d'intégrité |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-313 |
Une vulnérabilité a été découverte dans Apple SwiftNIO. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000620 |
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000603 |
A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in Boot |
| Application |
Compromission d'intégrité |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-312 |
Une vulnérabilité a été découverte dans le noyau Linux de SUSE. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000619 |
Ovidentia version 8.4.3 and earlier contains a Unsanitized User Input vulnerability in utilit.php, bab_getAddonFilePathfromTg that can result in Authenticated Remote Code Execution. This attack appear to be exploitable via The attacker must have permission to upload addons. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000602 |
A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
 Elévation de privilèges |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-311 |
De multiples vulnérabilités ont été découvertes dans Magento. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000618 |
EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in abi_serializer that can result in attack eos network node. This attack appear to be exploitable via network request. This vulnerability appears to have been fixed in after commit cf7209e703e6d3f7a5413e0cb1fe88a4d8e4b38d . (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000601 |
A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-310 |
De multiples vulnérabilités ont été découvertes dans Google Chrome OS. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur et une élévation de privilèges. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000617 |
Atlassian Floodlight Atlassian Floodlight Controller version 1.2 and earlier versions contains a Denial of Service vulnerability in Forwarding module that can result in Improper type cast in Forwarding module allows remote attackers to cause a DoS(thread crash).. This attack appear to be exploitable via network connectivity (Remote attack). (CVSS:0.0) (Last Update:2018-07-12) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000600 |
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-309 |
De multiples vulnérabilités ont été découvertes dans Mozilla Firefox. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000616 |
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onosdriversutilitiessrcmainjavaorgonosprojectdriversutilitiesXmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000559 |
qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-308 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux de SUSE. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000615 |
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000558 |
OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web search that can result in An authenticated attacker is able to gain full access to data stored within database. This attack appear to be exploitable via By sending crafted requests it is possible to gain database access. This vulnerability appears to have been fixed in 2.4.1. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-307 |
De multiples vulnérabilités ont été découvertes dans Joomla!. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une injection de code indirecte à distance (XSS). |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000614 |
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000557 |
OCS Inventory OCS Inventory NG version ocsreports 2.4 contains a Cross Site Scripting (XSS) vulnerability in login form and search functionality that can result in An attacker is able to execute arbitrary (javascript) code within a victims' browser. This attack appear to be exploitable via Victim must open a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 2 / 4 |
2018-07-16 |
CERTFR-2018-AVI-306 |
De multiples vulnérabilités ont été découvertes dans le noyau Linux de RedHat. Elles permettent à un attaquant de provoquer un déni de service et une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000613 |
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code.. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application.. This vulnerability appears to have been fixed in 1.60 and later. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000556 |
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. . (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-305 |
De multiples vulnérabilités ont été découvertes dans SCADA les produits Siemens. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000611 |
SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains a Cross Site Scripting (XSS) vulnerability that can result in Allows an attacker to inject arbitrary web scripts or HTML into help and login pages. This attack appear to be exploitable via the victim opening a specially crafted URL. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000554 |
Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token generation vulnerability in user component that can result in Password reset. This attack appear to be exploitable via HTTP request. This vulnerability appears to have been fixed in after commit 742b8ed. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-304 |
De multiples vulnérabilités ont été découvertes dans Google Chrome. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur. |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000610 |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers with access to Jenkins log files to obtain the passwords configured using Configuration as Code Plugin. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Exécution à distance |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-303 |
De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS). |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000609 |
A exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in ConfigurationAsCode.java that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1002150 |
Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1. (CVSS:7.5) (Last Update:2018-05-18) |
| Application |
Vulnérabilité locale |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000608 |
A exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured password. (CVSS:0.0) (Last Update:2018-07-03) |
| Application |
Alté de données |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1002100 |
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files. (CVSS:3.6) (Last Update:2018-07-03) |
| Application |
Alté de données |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000607 |
A arbitrary file write vulnerability exists in Jenkins Fortify CloudScan Plugin 1.5.1 and earlier in ArchiveUtil.java that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Alté de données |
Score : 4 / 4 |
2018-07-16 |
CVE-2018-1000623 |
JFrog JFrog Artifactory version Prior to version 6.0.3, since version 4.0.0 contains a Directory Traversal vulnerability in The "Import Repository from Zip" feature, available through the Admin menu -> Import & Export -> Repositories, triggers a vulnerable UI REST endpoint (/ui/artifactimport/upload) that can result in Directory traversal / file overwrite and remote code execution. This attack appear to be exploitable via An attacker with Admin privileges may use the aforementioned UI endpoint and exploit the publicly known "Zip Slip" vulnerability, to add/overwrite files outside the target directory. This vulnerability appears to have been fixed in 6.0.3. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000606 |
A server-side request forgery vulnerability exists in Jenkins URLTrigger Plugin 0.41 and earlier in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Vulnérabilité locale |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000622 |
The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 contains a CWE-427: Uncontrolled Search Path Element vulnerability in rustdoc plugins that can result in local code execution as a different user. This attack appear to be exploitable via using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000605 |
A man in the middle vulnerability exists in Jenkins CollabNet Plugin 2.0.4 and earlier in CollabNetApp.java, CollabNetPlugin.java, CNFormFieldValidator.java that allows attackers to impersonate any service that Jenkins connects to. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000621 |
Mycroft AI mycroft-core version 18.2.8b and earlier contains a Incorrect Access Control vulnerability in Websocket configuration that can result in code execution. This impacts ONLY the Mycroft for Linux and "non-enclosure" installs - Mark 1 and Picroft unaffected. This attack appear to be exploitable remote access to the unsecured websocket server. This vulnerability appears to have been fixed in No fix currently available. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000604 |
A persisted cross-site scripting vulnerability exists in Jenkins Badge Plugin 1.4 and earlier in BadgeSummaryAction.java, HtmlBadgeAction.java that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000620 |
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in randomDigits() method that can result in An attacker is more likely to be able to brute force something that was supposed to be random.. This attack appear to be exploitable via Depends upon the calling application.. This vulnerability appears to have been fixed in 4.1.2. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000603 |
A exposure of sensitive information vulnerability exists in Jenkins Openstack Cloud Plugin 2.35 and earlier in Boot |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000619 |
Ovidentia version 8.4.3 and earlier contains a Unsanitized User Input vulnerability in utilit.php, bab_getAddonFilePathfromTg that can result in Authenticated Remote Code Execution. This attack appear to be exploitable via The attacker must have permission to upload addons. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000602 |
A session fixation vulnerability exists in Jenkins SAML Plugin 1.0.6 and earlier in SamlSecurityRealm.java that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000618 |
EOSIO/eos eos version after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168 contains a stack overflow vulnerability in abi_serializer that can result in attack eos network node. This attack appear to be exploitable via network request. This vulnerability appears to have been fixed in after commit cf7209e703e6d3f7a5413e0cb1fe88a4d8e4b38d . (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000601 |
A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000617 |
Atlassian Floodlight Atlassian Floodlight Controller version 1.2 and earlier versions contains a Denial of Service vulnerability in Forwarding module that can result in Improper type cast in Forwarding module allows remote attackers to cause a DoS(thread crash).. This attack appear to be exploitable via network connectivity (Remote attack). (CVSS:0.0) (Last Update:2018-07-12) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000600 |
A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Compromission d'intégrité |
Score : 1 / 4 |
2018-07-16 |
CERTFR-2018-AVI-342 |
Une vulnérabilité a été découverte dans le noyau Linux de SUSE . Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000616 |
ONOS ONOS controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in onosdriversutilitiessrcmainjavaorgonosprojectdriversutilitiesXmlConfigParser.java loadxml() that can result in An adversary can remotely launch XXE attacks on ONOS controller via an OpenConfig Terminal Device.. This attack appear to be exploitable via network connectivity. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000559 |
qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via injected JavaScript code, a website can steal the user's browsing history. This attack appear to be exploitable via the victim must open a page with a specially crafted attribute, and then open the qute://history site via the :history command. This vulnerability appears to have been fixed in fixed in v1.3.3 (4c9360237f186681b1e3f2a0f30c45161cf405c7, to be released today) and v1.4.0 (5a7869f2feaa346853d2a85413d6527c87ef0d9f, released later this week). (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-341 |
De multiples vulnérabilités ont été découvertes dans les produits Cisco . Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000615 |
ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (Service crash) vulnerability in OVSDB component in ONOS that can result in An adversary can remotely crash OVSDB service ONOS controller via a normal switch.. This attack appear to be exploitable via the attacker should be able to control or forge a switch in the network.. (CVSS:0.0) (Last Update:2018-07-09) |
| Application |
Information |
Score : 1 / 4 |
2018-07-16 |
CVE-2018-1000558 |
OCS Inventory NG ocsreports 2.4 and ocsreports 2.3.1 version 2.4 and 2.3.1 contains a SQL Injection vulnerability in web search that can result in An authenticated attacker is able to gain full access to data stored within database. This attack appear to be exploitable via By sending crafted requests it is possible to gain database access. This vulnerability appears to have been fixed in 2.4.1. (CVSS:0.0) (Last Update:2018-06-26) |
| Application |
Déni de service |
Score : 3 / 4 |
2018-07-16 |
CERTFR-2018-AVI-340 |
De multiples vulnérabilités ont été découvertes dans SCADA Siemens . Elles permettent à un attaquant de provoquer un déni de service à distance. |
| Application |
Information |
Score : 3 / 4 |
2018-07-16 |
CVE-2018-1000614 |
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message. (CVSS:0.0) (Last Update:2018-07-09) |
